cybergate | 687e17197517592369bb2783d4dc90f1a9177be7adc7fc901b68c1e07130a998

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe
Size

356KB
MD5

648cb8c726d6ac5047e24f4c3aad44c2
SHA1

7bb03b62a9855254b5ba8e77d237af0e174735e5
SHA256

687e17197517592369bb2783d4dc90f1a9177be7adc7fc901b68c1e07130a998
SHA512

67f07eccf2bf7c3e6f7c26f52643f7f6183ec922ce10f96acf5d4cb068a8b3684ad29900ab5a3971e6d8afb07e72ed6a37adf54fa1b78bac9f67294582b86ba9
SSDEEP

6144:pOU8+8HEGVr8Kd/sHsXlIeN7t01hMY17QTxLxpZKEouNpGq:R8+8XDFOsSU7t0tlQ1Lxrou6

Score

10^/10

cybergate remote persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.07.5

Botnet

remote

madmeye.no-ip.org:100

Mutex

D538D0I1RTHNXP

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
WinDir
install_file
Svchost.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
cybergate
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7804GEI4-72HM-AHYM-8WC4-V0R5EMVBFE76}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7804GEI4-72HM-AHYM-8WC4-V0R5EMVBFE76}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7804GEI4-72HM-AHYM-8WC4-V0R5EMVBFE76}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7804GEI4-72HM-AHYM-8WC4-V0R5EMVBFE76}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4832	Svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2360-15-0x0000000010410000-0x0000000010475000-memory.dmp	upx
behavioral2/memory/2360-75-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/404-80-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4032-152-0x0000000010560000-0x00000000105C5000-memory.dmp	upx
behavioral2/memory/404-984-0x0000000010480000-0x00000000104E5000-memory.dmp	upx
behavioral2/memory/4032-1438-0x0000000010560000-0x00000000105C5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe"	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\Svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\WinDir\	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	vbc.exe
2360	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4032	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	404	explorer.exe
Token: SeRestorePrivilege	404	explorer.exe
Token: SeBackupPrivilege	4032	vbc.exe
Token: SeRestorePrivilege	4032	vbc.exe
Token: SeDebugPrivilege	4032	vbc.exe
Token: SeDebugPrivilege	4032	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 3436 wrote to memory of 2360	3436	648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe	85
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56
PID 2360 wrote to memory of 3528	2360	vbc.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\648cb8c726d6ac5047e24f4c3aad44c2_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4032
    - - C:\Windows\SysWOW64\WinDir\Svchost.exe
        
        "C:\Windows\system32\WinDir\Svchost.exe"
        5⤵
        Executes dropped EXE
        
        PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt

Filesize
224KB

MD5
15a09daf1403484eab8da89fff8dd49f

SHA1
2d93770db7a58c7a883c95ab6c836d118cbb195f

SHA256
3fbcf65dc7e453e91016136b6050cab50ac1b21b01f037265ae12c80212ed097

SHA512
e407e5c4c45fffb0e45bcd589d0baff377170a5e07b14d987da674b1d9b41bd2d7c6a0abb48ec08af90693262b93ab4d1d498b54acb9205b351784883a037da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
492e4ea179030587bb445efc74e8c18c

SHA1
daee1fdf96e9749929b7ea834e3618a6d513991d

SHA256
c629cd4b0d4de075048e326077e7d1989bc54ed865687960cdcd8e969f3247f3

SHA512
3f4bee4a04aa50bc416e0c188feda319ad09f64c3d381f0b35043160bc6b8d54029cd07601c81f316099e3a121b3015e094eb3fe87afb1be0f09601274012c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
addaa21202cc6950b0d48cf95a471141

SHA1
37b69e5df9a7a3a046e55683cfa6c18b8aee3ae1

SHA256
2c385f3b0337086c6c75b69f9f561f0d843bc188e46dd3c3c4e1070f02adaf35

SHA512
50c325f1d8927b78b3865fedb166153f264e544c1f050edbf71ed162d61a5adbce59aab5af73fff23191d2f5eaa19d5221a11884ab87727736f02a8757b13996

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
b47af542f3226efd54700925ad4330cc

SHA1
cc50210fd63e216772f933a8983e76453f16bdde

SHA256
d7b6ae91df1b730a393c219e1daa465f89acfc2366e2ebd44455aa99fd328da7

SHA512
4932d9dadcfd2098dcb32d991ce1976342df951b6d9d0965400f67a8f71debb5cec1c5a73e1811063d05a86d811818a2460315cb96c2716cbe127d057781d7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
d4986d7278bba96490beb8ca434f3ef7

SHA1
00c884ff33d1249c3dc20635c0060e40e2f846cf

SHA256
56e713f059bf143e7fc177727b35f0a888a3e048714dd19ed9d2e2ac21c2b227

SHA512
0a1acf2f1eed5b58a92f56bc93a765d37f9d52571377f6cc18a3e56877b70c9fcd346899ffcf150bff4a767b99a3f118e526f59e235b5ff2da1b34f04583a9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c001faac2a901d051f3be6a94a5ccf24

SHA1
b013f6489d071aca2200f273e56409eb9277d28a

SHA256
a86f0164e1919d11ab4afba138011f2b4ed0346eeacf769ef639c188453be528

SHA512
b769e8a5121009047bdc9822aeb237b390512f92674c43837e1086535fa651d06a19da97a678dd78d1c4c6eb4e149ed3032762345681f4e4f556daaa38eb1fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
28b1144a37a59046b90900cb9a21b6dc

SHA1
168c5dd0cf90b0677d29c4565d439c855307fab8

SHA256
edb75ab100bbd3d1174c3e6ec4888ef964535b71e4d054e27065a57c523379e7

SHA512
bb1acf5017fd6b7e24f7e6d5826bfda067e4a42673f5f287bea890055a8831d3c6b0b04e279d54da69f0f31d2f66c53a6ceed46fe315f2bcdd2b513d3ca05394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
928e8ace641efa2d2c27aa0cb9d313ba

SHA1
e8df1006870ab6f08782339e3d95abff018cdd4b

SHA256
da5f0a6548ebba1c25e5e61f0852866e778e694b3cef0680c9bb4f73e05425c0

SHA512
66bffc788fdad930b171c63eebc949256b867aae51dde3eb690cdf726d9e0f44d73dd1e186acbb7ab09bd7f60a4e8940aa04e81785b3442d7c254dce14944f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f5bf1eac14339d8475a2d13a93b772f3

SHA1
9b52e7273606dd56b79a0a659f76a64b19036401

SHA256
0ba0e1eb99886451cb115852af96ccb9354226cb4127959f56fe75d55848a3a1

SHA512
20b0b1e83189b112d32f5881e81b5ea8b79ae11160a80f5c320a9d03155d8ef3ba5413940dffeeed7e8ad588a6e9c6145fd78c3c502ae17e747889c3e3a7ba54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
7ccf825c4708029a31dd5d6a41b079ef

SHA1
3a6107744e1d7f7006b9e189036e7c8927ff7780

SHA256
3760ed70bcd73180be49bb0f8320142dda1e933fae909e72b704854e534ebcc0

SHA512
c4b6a1f056f562527632e6d9fde8be339bc2ee44dc51d7263e9207e79eaa7223359cc164bc2e5b55582411ac9c6c4979dbf308f4aa34aed84eaba4d4182a89da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
83eb4c2352b5b8846ef9fbd1ff5648be

SHA1
a6e3ed5336f75220e6bfcb9c7acabb053fa1649d

SHA256
ed32b9b366bd90d77a890a0f9c0c438ccb30df95b0de78c4be1bbd7a8606d62a

SHA512
45cd38bd63843c1455f7b46103c3b110e4a65486e738f80304d37484e74bf9a685aa9ceea0aeceabc919db08bc484e563a05a8ecb7fb575b2d5d3d4eb4655ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
dc51dc88f9c187b94a65129214acf648

SHA1
f6326dae09fae1c3478dcbde787ad69b5a928a03

SHA256
99e37ba0851c247b0cdcdcc1e500f7735f33738061daef2f6ebb2282520b3715

SHA512
d6378a404f2a022249ac656f1b752df92586f8aedc65743c5e2ba2747725863a36af72c88483bb3fc3bee137c8a71c136f0308c61373ce1fdaccca07616ce552

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
c852fbf4c1c789e188892e893d0354f8

SHA1
b48125c3edf996faec069f191c32641bb5e8d7f6

SHA256
9d3c4c1e73b342caa938d6461399046387555de29fc3f606eacbe8b8fbc590cc

SHA512
efe1e01c3fd29217401a6062bdf4241c321ac28c734a6ec4e6911d08c93fc9211a6c2acc4c98754856e79b0baa21dd57d770386c38d53874051ab6e2534560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
6c77148fd02105d11502ad82ced15e1f

SHA1
5accbdb1489f2b66b08b8a4c229e45a88daccd9d

SHA256
168e4abd256054ccf1050705eabd714204096b50db4d2f6fcb3724aef558b6fd

SHA512
73b3757a86d3972c528999fd391d0a65fd7a6a66518f74783445be40bb29a16c29f4b4488d361cdd4cfb9de31be8e24ab253277eaad4cb7668b71ea9e34c6037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
8d1c5f325492b311c57ed45e357a210b

SHA1
10e75486127f4912580fda2c41cf88ca7c57886f

SHA256
9d7b8b5e072e9c844a698c71fa9be87db61dec1ce56624d2d9d9354b801c9e92

SHA512
335f1a057c598b59d4cb23e36db439707e241b71a438591cce2b6408513e63954d514cd42c9ed99fff9b19cdbc8fb5f76c75bb19fcc974ff6179be24af0c8c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
f658ff6ca25c3ba5a9a09aa3c6ecb44b

SHA1
5c2e77a6706ab6ec5cf753e72e92cf214bd8cb4a

SHA256
d68cc31614b92420656b8176a5ea859e5bc69ba0566d48097f0d02d1937d5d7d

SHA512
93bf15b70432a6216a9d0c4298e2f6522883448c5ed11853a342c2393bd79471b89676e726c41da5d04704c5e274b03b0fdc89a060bd8b741ae0e0cdd33ec5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
3d51941170e1ec18e33d6913e2599c7c

SHA1
f19c6969dcea62d7ed2f0130fd5a85d8e88397a0

SHA256
b120158e963cc095bdf8d42fbd4560451693e6ffc936a4bf11f3f5183d51bee9

SHA512
461fa9ece834c5b0aeb6735cfd5b643fa0363f9430b0f8f7e0ab47c5fbb9fee685c33779232026cfd69c9b905b8796baf2f6d7c2ca0a35c78173eb9eed995916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
2e4a387fc771df9b9bee763c5565a7d1

SHA1
96e53bb10f1255ddb791858c7796c4d6f3d7d20b

SHA256
faf1a19f56acbcdd4087192bf55759263336e27d254e722c195b2c7332bb98de

SHA512
819ed8d59e212a8217c7cd952e870a96aa303616f624cd840bdd4d1adc6d0a8ed29e0385d86368c8c476776e14948a9c1ced882923b406a3e537327ef3f9275b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin7

Filesize
8B

MD5
06b1caf463a34ce1ee9aa36676b0d337

SHA1
8be07b3b1c1f91b8815490d0941b169c3d510d38

SHA256
e5547ba716a08fa1e08084615a8062a56003ceadad6268fb46eb48208466aae0

SHA512
c4312ee3887492c2dae29082889ef0c5fa6d7df5d0c41da2cfea1db05d08aabe53efe6e4158aac90133d3cde38295a3120a4b1ac90cb0b1a4b1a6ced243db8b9

Download Submit
C:\Users\Admin\AppData\Roaming\Adminlog.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\WinDir\Svchost.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/404-20-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/404-19-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/404-984-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/404-80-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2360-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2360-75-0x0000000010480000-0x00000000104E5000-memory.dmp

Filesize
404KB

Download
memory/2360-151-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2360-15-0x0000000010410000-0x0000000010475000-memory.dmp

Filesize
404KB

Download
memory/2360-9-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2360-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2360-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3436-0-0x0000000074C32000-0x0000000074C33000-memory.dmp

Filesize
4KB

Download
memory/3436-11-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3436-2-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/3436-1-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4032-1438-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download
memory/4032-152-0x0000000010560000-0x00000000105C5000-memory.dmp

Filesize
404KB

Download